(57) Abstract

By establishing a secure channel from a client to a back-end resource after the client is authenticated, both security and authentication can be achieved. Before access is permitted, two levels of authentication are provided by first seeking a client-side certificate and then having the client subsequently decrypt an encrypted message. Authorization for access to a back-end resource can be controlled by requiring a transaction-specific authorization device provided to the client in the encrypted message.
SECURE AUTHENTICATION FOR ACCESS TO BACK-END RESOURCES

Technical Field and Background Art 

This application claims the benefit of U.S. Provisional Application No. 60/106,290, filed October 30, 1998.

Traditionally, access to back-end resources, such as corporate databases, has been accomplished within secure mainframe environments or other internal networks. In such settings, security and user authentication are achieved with a high degree of reliability.

With the advent of the Internet, remote users need to access such 
resources from outside the protected environment. However, when these 
resources are accessed over the Internet, additional measures are required 
to provide assurances of security and user authentication. 


Brief Description of the Drawings 

Figure 1 is a block diagram of a system providing security and 
authentication; 

Figure 2 is a flow chart of the operation of the system of Figure 1.


Modes for Carrying Out the Invention

Data security and user authentication can be achieved in an Internet environment by establishing a secure channel from the user or client to the back-end resource and then by providing an authorization device which the user in turn employs to access the back-end resource.

In one configuration, illustrated in the block diagram of Figure 1, a client 10, using an Internet browser 12 equipped with the means necessary to create a secure session, accesses a back-end system 20 on which a back-end resource 22 resides, through a client-accessible system 30. The back-end resource 22 may be a database or some other source of data or device that the client wishes to access.

The interconnection 14 between the client 10 and the client-accessible system 30 can be over a network such as the Internet or through some other medium. Similarly, the link 16 between the client-accessible system 30 and the back-end system 20 can be over a network such as the Internet or through some other data link.

The process has two parts: first, a secure connection is established and the client is authenticated and, second, the client accesses the desired information. A secure connection from the client 10 to the back-end system 20 can be created using a secure protocol such as SSL (secure socket layer). Software resident on the client-accessible system 30, designated a router 34, and on the back-end system 20, designated an enabler 24, allows the establishment of the secure session from the client 10 to the back-end system 20 using well-known techniques for the purpose of authenticating the client 10. In the case of SSL, a public key certificate, attesting to and establishing the identity of the client 10, is requested from the client by the enabler 24. The public key certificate is then used by the back-end system 20 to create the secure session. As is customary in SSL, the enabler 24 also provides a certificate to the client 10.
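The first level of authentication just described, a server that demands the client's public key certificate during the handshake and derives the client's identity from it, as an added example in Python that is not part of the patent. It uses TLS (the successor of SSL) through the standard `ssl` module; `build_enabler_context`, `requires_client_cert` and `client_identity` are assumed names, the PEM file paths are assumed, and the peer-certificate dictionary is a constructed sample in the layout `getpeercert()` returns.

```python
import ssl

# Added example (not from the patent). The enabler 24's side of the
# handshake: a server-side TLS context that refuses to complete the
# session unless the client presents a certificate chaining to a trusted CA.
# build_enabler_context, requires_client_cert and client_identity are assumed names.


def build_enabler_context(ca_file=None, cert_file=None, key_file=None):
    """Return a server context that requires a client certificate.

    The PEM paths are optional only so the settings can be inspected
    without key material (assumption); a deployment supplies all three.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # SSL 3.0 and early TLS are not acceptable today; insist on TLS 1.2+.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CERT_REQUIRED makes the handshake fail when no client certificate is
    # presented or when it does not verify: this is the first level.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        # Only certificates issued by these CAs identify a client.
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file and key_file:
        # The enabler's own certificate, sent to the client as in SSL.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def requires_client_cert(ctx):
    """True when the context rejects clients that present no certificate."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def client_identity(peercert, now):
    """Derive the client's identity from a verified peer certificate.

    `peercert` is the dictionary ssl.SSLSocket.getpeercert() returns once
    the handshake has verified the chain; `now` is Unix time. Returns the
    subject commonName, or None if no usable certificate was presented.
    """
    if not peercert:
        return None  # nothing presented (or verify_mode was CERT_NONE)
    subject = {name: value
               for rdn in peercert.get("subject", ())
               for name, value in rdn}
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if not (not_before <= now <= not_after):
        return None  # outside the validity window: treat as unauthenticated
    return subject.get("commonName")


# Constructed sample in the getpeercert() layout; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "client10"),)),
    "issuer": ((("commonName", "Example Client CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "serialNumber": "0A",
}

if __name__ == "__main__":
    ctx = build_enabler_context()
    print("client certificate required:", requires_client_cert(ctx))
    print("identity:", client_identity(SAMPLE_PEERCERT, now=1_750_000_000))
```

The identity returned here is what the enabler later binds the authorization device to; the validity-window check matters because `getpeercert()` hands back the certificate even after the handshake, and a server that keeps long-lived sessions should re-check it before issuing anything.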

The process begins with a query from the client 10. To acquire a specific piece of information from the back-end resource 22, the client 10 enters a pre-determined URL on its internet browser 12 specifying a port on the client-accessible system 30 linked to the router 34. The URL may assume the following form:

https://hostname:7777/abc.cgi
The "https" designation within the above URL indicates that a secure session, in this example SSL, is to be established between the browser 12 and the client-accessible system 30. Since the URL specifies "hostname:7777," the browser 12 will create a secure session at port 7777 of the destination known as "hostname." That port indicates the location of the router 34, which passes the query to the enabler 24.

Once a secure session is created between the client 10 and the back-end system 20, the browser 12 sends along the rest of the URL (e.g., "abc.cgi"), the actual request, through the router 34 in encrypted form. Note that all information exchanged from hereon out is encrypted. The request, "abc.cgi," is the name of the routine that will retrieve the information from the back-end resource 22. The router 34 passes this encrypted message to the enabler 24 on the back-end system 20. The enabler 24 decrypts the request and determines whether the request will be authorized and access permitted.

Assuming that the client 10 is authorized entry, the enabler 24 will send a message back to the client 10 over the secure connection. The message can contain a redirection command such as a new or redirect URL, sending the client 10 to a different port on the client-accessible system 30, or to an entirely different client-accessible system, through which the desired information will be provided. The redirect URL may be of the form:

https://hostname/abc.cgi?{W}

Again, abc.cgi is the routine for retrieving the information. The redirect URL may also contain an authorization device, designated W in the URL above.

One such authorization device can be a web ticket. This authorization device or web ticket is the permission from the back-end resource 22 allowing the web-server 32 to act on behalf of the client for the purpose of accessing the requested information.

When the client 10 receives the message with the authorization device or web ticket, it arrives of course in encrypted form. By virtue of the act of decrypting the message (in SSL, using the originally-created session key), the client 10 has further authenticated itself. Thus, the process described here offers dual authentication, once upon creating the secure session and again when the client 10 decrypts the redirect message.

The client 10 then goes to the new or redirect URL, entering a presentation server such as a web-server 32 on the original client-accessible system 30 through a different port (e.g., port 443, the default secure port) or perhaps another web-server residing on a different system. For purposes of this discussion, the presentation server will be referred to as a "web-server" hereafter, but it should be understood that the depicted web-server may be any suitable device.

The redirect URL also contains an "https" designation, indicating that a secure session is to be created between the web-server 32 and the client 10. The authorization device or web ticket is forwarded to the back-end system 20 and, if the authorization device is deemed to be valid, the request is honored. The requested information is then passed from the back-end resource 22 to the web-server 32, which generates a web page containing the information. This page is then sent to the client 10 via the secure connection.

The web ticket may include a time stamp to limit the time of its validity. Alternatively, the authorizing elements of the web ticket can be changed after a period of time, effectively invalidating the web ticket at the time of the change, or it may be usable only once.
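The redirect carrying the authorization device W, and the validity limits of the preceding paragraph (a time stamp and single use), as an added Python example that is not part of the patent. The patent does not specify how the web ticket is constructed; the format used here (an HMAC-SHA256 over a base64url JSON body), the `Enabler` class, `web_server_handle`, the key and the sample values are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Added example (not from the patent): one way to realise the authorization
# device W of the redirect URL as a web ticket that is bound to the
# authenticated client and the requested routine, expires after a short
# time, and can be presented only once. Ticket layout and names are assumed.


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Enabler:
    """Issues tickets on the back-end system 20 and later validates them."""

    def __init__(self, key: bytes):
        self._key = key      # never leaves the enabler; web-server only relays tickets
        self._issued = {}    # ticket id -> already presented?

    def issue_ticket(self, client_id: str, routine: str, now: int, ttl: int = 60) -> str:
        payload = {"cid": client_id, "rtn": routine, "iat": now,
                   "exp": now + ttl, "jti": secrets.token_hex(8)}
        body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        self._issued[payload["jti"]] = False
        return f"{body}.{mac}"

    def redirect_url(self, host: str, routine: str, ticket: str) -> str:
        # The redirect message of the patent: https://hostname/abc.cgi?W=...
        return f"https://{host}/{routine}?" + urlencode({"W": ticket})

    def validate(self, ticket: str, routine: str, now: int):
        """Return (client_id, "ok") or (None, reason); marks the ticket used."""
        body, _, mac = ticket.rpartition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None, "bad signature"       # forged or altered ticket
        payload = json.loads(_unb64url(body))
        if payload["rtn"] != routine:
            return None, "routine mismatch"    # ticket presented for another routine
        if now > payload["exp"]:
            return None, "expired"             # time-stamp limit
        if self._issued.get(payload["jti"]) is not False:
            return None, "already used or unknown"   # single-use limit
        self._issued[payload["jti"]] = True
        return payload["cid"], "ok"


def web_server_handle(enabler: Enabler, url: str, now: int):
    """Web-server 32: pull W out of the redirect URL, present it to the
    enabler, and build the page only if the back-end honours the ticket."""
    parsed = urlparse(url)
    routine = parsed.path.lstrip("/")
    ticket = parse_qs(parsed.query).get("W", [None])[0]
    if ticket is None:
        return None
    client_id, status = enabler.validate(ticket, routine, now)
    if client_id is None:
        return None
    # Placeholder page; a real server would fetch from back-end resource 22.
    return f"<html>{routine}: record for {client_id}</html>"


if __name__ == "__main__":
    enabler = Enabler(b"constructed-demo-key")          # constructed key
    ticket = enabler.issue_ticket("client10", "abc.cgi", now=1000, ttl=60)
    url = enabler.redirect_url("hostname", "abc.cgi", ticket)
    print(url)
    print(web_server_handle(enabler, url, now=1030))   # page
    print(web_server_handle(enabler, url, now=1031))   # None: single use
```

Because the ticket travels in the query string, it ends up in browser history and web-server access logs; the short lifetime and single-use check are what keep a logged ticket from being useful to anyone who reads it later, and the binding to the routine stops a ticket issued for one request being presented for another.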



WO 00/27089 PCT/US99/25215

The foregoing method can be used with multiple back-end resources and/or client-accessible systems. For example, the client-accessible system could have multiple routers. Further, the method can be used in a system with multiple layers of client-accessible systems, i.e., web-servers, application servers, and the like. Where there are multiple layers, the method is repeated in "nested" fashion, repeating the process of establishing a secure session, exchanging certificates, and providing a redirect with an authorization device at each layer until the last layer, a back-end resource, is reached.

In the foregoing examples, SSL is used to create a secure session. Other schemes could be employed to achieve the same purpose.

What is claimed is:

1. A method for permitting a client to access a back-end resource via network-based client-accessible systems comprising web-servers, comprising the steps of:

establishing a first secure connection between the client and the back-end system via a client-accessible system, the step of establishing a first secure connection comprising the step of obtaining client authentication;

initiating a request by the client for information from the back-end resource;

generating an authorization device and redirection command;

passing the authorization device and the redirection command to the client;

establishing a second secure connection between the client and a web-server according to the redirection command;

presenting the authorization device to the back-end system;

passing the information from the back-end resource to the web-server; and

passing the information from the web-server to the client via the second secure connection.


2. A method as set forth in claim 1, where the step of obtaining client authentication comprises the steps of providing a client certificate to the back-end resource and using the client certificate to create the secure session.


3. A method as set forth in claim 1, further comprising the step of encrypting the authorization device and redirection command prior to the step of passing the authorization device and redirection command to the client.

4. A method for establishing a secure connection between a client and a back-end system via network-based client-accessible systems comprising web-servers, comprising the steps of:

establishing a first secure connection between the client and the back-end system via a client-accessible system, the step of establishing a first secure connection comprising the step of obtaining client authentication;

initiating a request by the client for information from the back-end resource;

generating an authorization device and redirection command;

passing the authorization device and the redirection command to the client;

establishing a second secure connection between the client and a web-server according to the redirection command; and

presenting the authorization device to the back-end system.

5. A method as set forth in claim 4, where the step of obtaining client authentication comprises the steps of providing a client certificate to the back-end resource and using the client certificate to create the secure session.

6. A method for authorizing remote client access to a back-end resource via a web-server on a network, comprising the steps of:

generating an authorization device;

passing the authorization device to the client through a first secure connection;

establishing a second secure connection between the client and a web-server;

passing the authorization device to the web-server via the second secure connection;

passing the authorization device from the web-server to the back-end resource;

passing the information from the back-end resource to the web-server; and

passing the information from the web-server to the client via the second secure connection.

7. A method as set forth in claim 6, further comprising the step of encrypting the authorization device and redirection command prior to the step of passing the authorization device and redirection command to the client.

8. A system for establishing a secure connection between a client and a back-end resource, comprising:

a back-end system comprising

the back-end resource; and

an enabler, the enabler comprising

means for authenticating the client; and

means for authorizing retrieval of information for the client; and

at least one network-based client-accessible system comprising

at least one web-server; and

a router comprising means for communicating with the client and the enabler.

9. A system as set forth in claim 8, where the means for authenticating the client comprises means for receiving a certificate of authentication from the client via the router.

10. A system as set forth in claim 8, where the means for authorizing retrieval comprises means for generating an authorizing device for receipt by the client via the router and subsequent presentation to the back-end system.